Open Source SBOM Creator Tools with Highest Average Quality Score (last 30 days)
Strictly based on the quality scores of SBOMs generated from top container images and repositories
Quality score for a public repository of SBOM samples built with Open Source tools
Part of the Interlynk Open Source Initiative
Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
A crucial aspect of software security and supply chain risk management is the emergence of a "Software Bill Of Materials" (SBOM).
An SBOM is essentially a nested inventory or list of ingredients that constitute software components.
An SBOM can be generated for any programmable product or component, such as IoT devices, operating systems, web, mobile or infrastructure applications, and software components including open source libraries, container images and executables.
NTIA recommends building an SBOM in one of three specifications: CycloneDX, SPDX and SWID. These specifications support a variety of file formats, including Tag-Value, XML, JSON and YAML.
Once created, an SBOM is a multi-faceted artifact. It can be used to track component and license inventory to manage compliance risk, to track known and newly disclosed vulnerabilities to manage security risk, and to independently validate included components to manage software supply chain risk. It can also be combined with other artifacts (VEX, attestations) to communicate the state of the software in an automated fashion.
To encourage widespread adoption of SBOM, it is essential to maintain high-quality tools for generating and utilizing SBOMs.
To this end, CISA has released "The Minimum Elements for a Software Bill of Materials (SBOM)" document, while OWASP is developing Software Component Verification Standard (SCVS) BOM Maturity Model, to provide guidelines for improving SBOM quality.
Today, SBOM generation is getting easier by the day. However, the quality of the generated SBOMs continues to have room for improvement.
Interlynk's SBOM Quality Score is a customizable checklist for the content of an SBOM, together with a Go application that applies that checklist.
It is open source and incorporates the best known guidelines to help improve the quality, and therefore the effectiveness, of an SBOM.
SBOM Quality Score can be used proactively, to assess and make informed decisions about what to include in an SBOM, as well as when accepting an SBOM from an external party.
SBOM Quality Scoring is built on a set of SBOM Quality Checks that are applied to the SBOM.
The Quality Checks are categorized in five categories: Structural, Semantic, NTIA-Minimum-Elements, Quality and Sharing.
Learn more about the list of checks, scoring criteria, and remediation for each check in the detailed documentation.
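To make the idea of "a set of quality checks applied to an SBOM" concrete, here is an added Python example. It is not sbomqs code (sbomqs is a Go application with a far larger check list and its own weighting); it applies seven checks modelled on the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationships, SBOM author, timestamp) to a CycloneDX JSON document and reports a 0-10 score as the fraction of checks passed. The sample SBOM, the check names and the scoring rule are all constructed for this illustration.

```python
"""Minimal SBOM quality check runner over a CycloneDX JSON document.

Added illustration, not the sbomqs implementation. The checks mirror the
NTIA minimum elements; the sample SBOM below is constructed so that some
checks fail on purpose (one component lacks a version and a supplier, and
the dependency graph is empty).
"""
import json

# Constructed sample CycloneDX 1.4 SBOM (not generated by any real tool).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "authors": [{"name": "example-sbom-generator"}],
        "component": {"type": "application", "name": "demo-app",
                      "version": "1.0.0"},
    },
    "components": [
        {"type": "library", "name": "liba", "version": "2.3.1",
         "purl": "pkg:golang/example.com/liba@2.3.1",
         "supplier": {"name": "Example Org"}},
        {"type": "library", "name": "libb",
         "purl": "pkg:golang/example.com/libb"},
    ],
    "dependencies": [],
})


def load_cyclonedx(text):
    """Parse the JSON and refuse anything that is not a CycloneDX BOM."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def components(doc):
    return doc.get("components") or []


# Each check returns (passed, detail). A check is all-or-nothing per SBOM
# because the NTIA minimum elements require the field on every component.
def check_component_names(doc):
    missing = [c for c in components(doc) if not c.get("name")]
    return (not missing, f"{len(missing)} component(s) without a name")


def check_component_versions(doc):
    missing = [c.get("name") for c in components(doc) if not c.get("version")]
    return (not missing, f"missing version: {missing}")


def check_unique_ids(doc):
    missing = [c.get("name") for c in components(doc)
               if not (c.get("purl") or c.get("cpe") or c.get("bom-ref"))]
    return (not missing, f"no purl/cpe/bom-ref: {missing}")


def check_suppliers(doc):
    missing = [c.get("name") for c in components(doc)
               if not (c.get("supplier") or {}).get("name")]
    return (not missing, f"no supplier: {missing}")


def check_dependencies(doc):
    deps = doc.get("dependencies") or []
    return (len(deps) > 0, f"{len(deps)} dependency relationship(s)")


def check_author(doc):
    authors = (doc.get("metadata") or {}).get("authors") or []
    return (len(authors) > 0, f"{len(authors)} SBOM author(s)")


def check_timestamp(doc):
    ts = (doc.get("metadata") or {}).get("timestamp")
    return (bool(ts), f"timestamp={ts}")


CHECKS = [
    ("component_names", check_component_names),
    ("component_versions", check_component_versions),
    ("unique_ids", check_unique_ids),
    ("suppliers", check_suppliers),
    ("dependencies", check_dependencies),
    ("author", check_author),
    ("timestamp", check_timestamp),
]


def score_sbom(text):
    """Run every check; return (score out of 10, {check: (passed, detail)})."""
    doc = load_cyclonedx(text)
    results = {name: fn(doc) for name, fn in CHECKS}
    passed = sum(1 for ok, _ in results.values() if ok)
    return round(10 * passed / len(CHECKS), 1), results


if __name__ == "__main__":
    score, results = score_sbom(SAMPLE_SBOM)
    for name, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name:20s} {detail}")
    print(f"score: {score}/10")
```

Running the script on the constructed sample fails the version, supplier and dependency checks and passes the other four, giving a score of 5.7. The per-check detail strings are what make such a report actionable: they name the components that need remediation rather than only reporting a number.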
SBOM Benchmark is a collection of SBOM examples in CycloneDX and SPDX formats. These examples are generated for common open source repositories and container images using open source SBOM tools.
Additionally, the examples included above have been evaluated against the SBOM Quality Score. You can use these SBOM samples to improve your understanding of how SBOMs work in practice and of common pitfalls in SBOM generation.
You can also use SBOM Benchmark to host the result of your SBOM Quality Score without uploading the SBOM anywhere, by using the `share` command in sbomqs, the SBOM Quality Scoring Tool.
If you want to get involved in the project or have ideas you'd like to chat about, we'd love to connect: @interlynk-io.